Graph transformation has been used to model concurrent systems in software engineering, as well as in biochemistry and life sciences. The application of a transformation rule can be characterised algebraically as construction of a double-pushout (DPO) diagram in the category of graphs. We show how intuitionistic linear logic can be extended with resource-bound quantification, allowing for an implicit handling of the DPO conditions, and how resource logic can be used to reason about graph transformation systems.

1 Introduction 

Graph transformation (GT) combines the idea of graphs, as a universal modelling paradigm, with a rule-based approach to specify the evolution of systems. It can be regarded as a generalisation of term rewriting. Among the several formalisations of GT based on algebraic methods, the double-pushout approach (DPO) is one of the most influential [11, 12]. Intuitionistic linear logic (ILL) has been applied to the representation of concurrent systems [5][1][15], in relationship with Petri nets, multiset rewriting and process calculi. This paper reports work on the embedding of DPO-GT into a variant of quantified intuitionistic linear logic with proof terms (HILL). The general goal is to build a bridge between constructive logic and the specification of concurrent systems based on graph transformation — with special attention to model-driven software development. Representing model-based specifications of object-oriented programs as proof terms could be useful for mechanised verification.

Hypergraphs are a generalisation of graphs allowing for edges that connect more than two nodes (hyperedges). Term-based algebraic presentations of DPO-GT usually rely on hypergraphs and hyperedge replacement [7]. Intuitively, an hypergraph can be defined in terms of parallel compositions of components — where a component can be either the empty hypergraph, a node, or an edge component (an hyperedge with attached nodes). A transformation may delete, create or preserve components.

It can be convenient to represent an hypergraph as a logic formula, where hyperedges are predicates ranging over nodes, and composition is represented by a logic operator. There are naming aspects that need to be addressed in representing transformation. In particular, (1) renaming is needed in order to reason about models up to isomorphism, and (2) the representation of transformation rules involves abstraction from component names. Transformation cannot be represented directly in terms of either classical or intuitionistic consequence relation, because of weakening and contraction. Accounts based on hyperedge replacement [7] and second-order monadic logic with higher-order constructors [8] rely on extra-logical notions of transformation. Substructural logics offer a comparatively direct way to express composition as multiplicative conjunction (⊗), and transformation in terms of consequence relation, with associated linear implication (⊸). This is the case with linear logic [5][9][6] as well as with separation



There are further semantic aspects to be considered. One is the double status of nodes. From the point of view of transformation, each node as graph component is a linear resource. From the point of view of the spatial structure, a node represents a connection between edge components — therefore it is a name that may occur arbitrarily many times. Another aspect is the asymmetry between nodes and edges with respect to deletion. An edge can be deleted without affecting the nodes, whereas it makes little sense to delete a node without deleting the edges it is attached to. On the other hand, by default, edge deletion should not trigger node deletion. There are systems in which isolated nodes are disregarded, but this is not generally the case when dealing with hierarchical graphs [3][11][13], especially in case nodes represent subgraphs.

We focus on the problem of representing at the object level a constructive notion of renaming, which behaves injectively, unlike instantiation of quantified variables and substitution of meta-variables. Here we rely on a representation of names as terms that refer to locations, relying on the linear aspect of the logic, and extending the operational approach presented in [22]. Our goal is more specific than that of higher level approaches to names with binding based on nominal logic [13][21]. In section 2 we provide a categorical presentation of typed DPO-GT, independently of syntactical formalisation. In section 3 we present a form of linear lambda calculus with dependent types, extended with a notion of location (with ↓), and a resource-bound quantifier ∃ to represent name hiding. In section 4 we show how GT systems can be embedded in HILL.

1.1 Overview 

By extending ILL with quantification one can hope to deal with abstraction, and therefore to reason about GT systems in logic terms up to α-renaming. However, this requires coping with the difference between variables and names. As a simple example, consider a graph given by an r-typed edge r(x,y) that connects two distinct nodes x, y, and a rule that replaces the r-typed edge with a b-typed one, i.e. r(n1,n2) with b(n1,n2). In order to abstract from node names, assuming Q1, Q2 are quantifiers, we need to introduce an abstract representation Q1xy.r(x,y) for the graph. Intuitively, we could choose between (1) (Q1xy.r(x,y)) ⊸ (Q1xy.b(x,y)) and (2) Q2xy.r(x,y) ⊸ b(x,y) to represent the rule. It is not difficult to see that no interpretation of Q1, Q2 in terms of ∃, ∀ is completely satisfactory: ∃xy.b(x,y) follows from b(n1,n1), and ∀xy.r(x,y) implies r(n1,n1). In general, neither existential nor universal quantification can prevent the identification of distinct variables through instantiation with the same term — i.e. they do not behave injectively with respect to multiple instantiation.

Freshness quantification (И), associated to name restriction in the context of MF-logic [13][19], relies on a notion of bindable atom to represent names, an account of substitution in terms of permutation and of α-equivalence in terms of equivariance. A typing for restriction can be found in [10]. However, with standard quantifiers, as well as with freshness, one has that ∃x.α, ∀x.α, Иx.α are logically equivalent to α whenever x does not occur in α — we can call this property η-congruence.

In this paper, we define a quantifier (∃) that takes the above-mentioned graph-specific aspects into account — in particular, it behaves injectively, and it satisfies the algebraic properties of name restriction except for η-congruence. ∃ has a separating character (though in a different sense from the intensional quantifiers in [20]), by implicitly associating each bound variable to a linear resource. It has a freshness character in requiring the relationship between witness terms and bound variables to be one-to-one — this makes the introduction rules of ∃ essentially invertible, unlike standard existential quantification.

Resource-bound quantification

∃ can be understood operationally by saying that, with its introduction, given an instance M :: α[D/x], all the occurrences of the non-linear term D (the witness) in the instance become hidden, and in a sense the witness becomes linear. In ε(D|n).M :: ∃x.α, the witness may still occur in the term, but it has been exhaustively replaced with a bound variable in the type, and it has become associated with the linear location n. We rely on a meta-level representation of hiding in terms of existential quantification, as usually found in dependent type theory. The difference lies with the exhaustive character (a freshness condition) and with the injective association to linear resources. In this paper we stop short of introducing restriction ν at the object language level. This could be done, by using as interpretation for ∃ terms such as νx.n ⊗ M[x/D]. However, extending lambda-calculus with restriction involves more than technicalities — see [18][21]. Here we limit ourselves to consider hiding, by using terms such as ε(D|n).M = n ⊗ D ⊗ M, with D and n both hidden by the type.

Non-linear terms can be contracted — i.e. two of the same type can be merged. This can explain multiple occurrences of a term in an expression, assuming the point of view of linearity as default. Technically, the approach we use for names consists of associating the naming term D to a location, in order to prevent contraction for the free variables in D (the nominal variables), hence for D itself, thus closing their scope. Assuming linearity for locations, η-equivalence fails on one hand, and on the other the set of names turns out minimal — unlike in [21], where the name space is affine.



2 Hypergraphs and their transformations 

A hypergraph (V, E, s) consists of a set V of vertices, a set E of hyperedges and a function s : E → V* assigning each edge a sequence of vertices in V. A morphism of hypergraphs is a pair of functions φV : V1 → V2 and φE : E1 → E2 that preserve the assignments of nodes — that is, φV* ∘ s1 = s2 ∘ φE. By fixing a type hypergraph TG = (𝒱, ℰ, ar), we are establishing sets of node types 𝒱 and edge types ℰ, as well as defining the arity ar(a) of each edge type a ∈ ℰ as a sequence of node types. A TG-typed hypergraph is a pair (HG, type) of a hypergraph HG and a morphism type : HG → TG. A TG-typed hypergraph morphism f : (HG1, type1) → (HG2, type2) is a hypergraph morphism f : HG1 → HG2 such that type2 ∘ f = type1.

A graph transformation rule is a span of injective hypergraph morphisms L ←l− K −r→ R, called a rule span. A hypergraph transformation system (GTS) 𝒢 = (TG, P, π, G0) consists of a type hypergraph TG, a set P of rule names, a function π mapping each rule name p to a rule span π(p), and an initial TG-typed hypergraph G0. A direct transformation G ⇒ H is given by a double-pushout (DPO) diagram as shown below, where (1), (2) are pushouts and top and bottom are rule spans. For a GTS 𝒢 = (TG, P, π, G0), a derivation G0 ⇒ Gn in 𝒢 is a sequence of direct transformations G0 ⇒ G1 ⇒ ··· ⇒ Gn using the rules in 𝒢. An hypergraph G is reachable in 𝒢 iff there is a derivation of G from G0.

[DPO diagram: the rule span L ←l− K −r→ R on top, the span G ←g− D −h→ H at the bottom, the match m : L → G on the left, with pushouts (1) and (2)]

Intuitively, the left-hand side L contains the structures that must be present for an application of the rule, the right-hand side R those that are present afterwards, and the gluing graph K (the rule interface) specifies the "gluing items", i.e., the objects which are read during application, but are not consumed. Operationally speaking, the transformation is performed in two steps. First, we delete all the elements in G that are in the image of L \ l(K), leading to the left-hand side pushout (1) and the intermediate graph D. Then, a copy of R \ r(K) is added to D, leading to the derived graph H via the pushout (2). The first step (deletion) is only defined if the built-in application condition, the so-called gluing condition, is satisfied by the match m. This condition, which characterises the existence of pushout (1) above, is usually presented in two parts.



Identification condition: Elements of L that are meant to be deleted are not shared with any other elements — i.e., for all x ∈ L \ l(K), y ∈ L, m(x) = m(y) implies x = y.

Dangling condition: Nodes that are to be deleted must not be connected to edges in G that are not to be deleted — i.e., for all nodes v ∈ G_V that are to be deleted, for all e ∈ G_E such that v occurs in s(e), e ∈ m_E(L_E).

The first condition guarantees two intuitively separate properties: first — nodes and edges that are deleted by the rule are treated linearly, i.e., m is injective on L \ l(K); second — there must not be conflicts between deletion and preservation, i.e., m(L \ l(K)) and m(l(K)) are disjoint. The second condition ensures that after the deletion action, the remaining structure is still a graph, and therefore does not contain edges short of a node.

As terms are often considered up to renaming of variables, it is common to abstract from the identity of nodes and hyperedges considering hypergraphs up to isomorphism. However, in order to be able to compose graphs by gluing them along common nodes, these have to be identifiable. Such potential gluing points are therefore kept as the interface of a hypergraph, a set of nodes I (external nodes) embedded into HG by a morphism i : I → HG. An abstract hypergraph i : I → [HG] is then given by the isomorphism class {i' : I → HG' | ∃ isomorphism j : HG → HG' such that j ∘ i = i'}.

If we restrict ourselves to rules with interfaces that are discrete (i.e., containing only nodes, but no edges), a rule can be represented as a pair of hypergraphs with a shared interface I, i.e., ΛI.L ⇒ R, such that the set of nodes I is a subgraph of both L, R. This restriction does not affect expressivity in describing individual transformations because edges can be deleted and recreated, but it reduces the level of concurrency. In particular, concurrent transformation steps can no longer share edges because only items that are preserved can be accessed concurrently.
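The gluing condition and the two-step DPO construction described above, as an added worked example in Python that is not part of the paper: TG-typed hypergraphs are held as (V, E, s) together with their type maps, a rule as a span with a discrete interface (interface nodes carry the same identifier in L and R), and a match as a pair of node and edge maps. gluing_violations checks the identification and the dangling condition for a match, and apply_rule performs the deletion step (pushout (1)) and the gluing step (pushout (2)) only when the condition holds. The sample graph and rules are constructed here, following the shape of the example in section 4.2; all identifiers are assumptions of this example.

```python
"""Typed hypergraphs, rule spans with a discrete interface, and the DPO gluing condition."""
from dataclasses import dataclass


@dataclass
class Hypergraph:
    """(V, E, s) with typing: nodes maps node id -> node type, edges maps edge id -> (edge type, attached node ids)."""
    nodes: dict
    edges: dict


@dataclass
class Rule:
    """Rule span L <- K -> R with discrete K: interface nodes carry the same id in left and right."""
    left: Hypergraph
    right: Hypergraph
    interface: frozenset


def is_match(rule, g, mv, me):
    """mv, me: node and edge maps L -> G. True iff they form a typed hypergraph morphism."""
    left = rule.left
    if set(mv) != set(left.nodes) or set(me) != set(left.edges):
        return False
    if any(g.nodes.get(mv[v]) != t for v, t in left.nodes.items()):
        return False
    for e, (t, att) in left.edges.items():
        if me[e] not in g.edges:
            return False
        gt, gatt = g.edges[me[e]]
        if gt != t or gatt != tuple(mv[v] for v in att):
            return False
    return True


def gluing_violations(rule, g, mv, me):
    """Violations of the gluing condition by match (mv, me); an empty list means pushout (1) exists."""
    left, iface = rule.left, rule.interface
    deleted_nodes = set(left.nodes) - iface
    deleted_edges = set(left.edges)            # discrete interface: every edge of L is deleted
    out = []
    # identification: a deleted item may not share its image with any other item of L
    for x in deleted_nodes:
        out += [f"identification: nodes {x},{y} both map to {mv[x]}"
                for y in left.nodes if x != y and mv[x] == mv[y]]
    for x in deleted_edges:
        out += [f"identification: edges {x},{y} both map to {me[x]}"
                for y in left.edges if x != y and me[x] == me[y]]
    # dangling: a deleted node may only be attached to edges that are themselves matched (and deleted)
    matched = set(me.values())
    for v in deleted_nodes:
        out += [f"dangling: node {mv[v]} is attached to unmatched edge {e}"
                for e, (_, att) in g.edges.items() if mv[v] in att and e not in matched]
    return out


def apply_rule(rule, g, mv, me, fresh=lambda item: "new_" + item):
    """Direct transformation G => H in two steps; raises ValueError when the match is not admissible."""
    if not is_match(rule, g, mv, me):
        raise ValueError("not a typed hypergraph morphism")
    bad = gluing_violations(rule, g, mv, me)
    if bad:
        raise ValueError("; ".join(bad))
    left, right, iface = rule.left, rule.right, rule.interface
    # step 1 (pushout (1)): delete the images of L \ l(K), giving the intermediate graph D
    gone_nodes = {mv[v] for v in set(left.nodes) - iface}
    nodes = {v: t for v, t in g.nodes.items() if v not in gone_nodes}
    edges = {e: x for e, x in g.edges.items() if e not in set(me.values())}
    # step 2 (pushout (2)): glue a fresh copy of R \ r(K) onto D along the interface nodes
    name = {v: mv[v] for v in iface}
    for v, t in right.nodes.items():
        if v not in iface:
            name[v] = fresh(v)
            nodes[name[v]] = t
    for e, (t, att) in right.edges.items():
        edges[fresh(e)] = (t, tuple(name[v] for v in att))
    return Hypergraph(nodes, edges)


# Constructed sample: the graph and rule of the example in section 4.2 (node types a1, a2, a3)
G = Hypergraph({"a": "a1", "b": "a2", "c": "a2"},
               {"e1": ("C", ("a",)), "e2": ("A", ("a", "b")), "e3": ("A", ("a", "c")), "e4": ("B", ("b",))})
RULE = Rule(Hypergraph({"y1": "a1", "y2": "a2"}, {"l1": ("C", ("y1",)), "l2": ("A", ("y1", "y2"))}),
            Hypergraph({"y1": "a1", "y3": "a3", "y4": "a3"}, {"r1": ("C", ("y1",)), "r2": ("D", ("y3", "y4"))}),
            frozenset({"y1"}))
GOOD = ({"y1": "a", "y2": "c"}, {"l1": "e1", "l2": "e3"})        # c carries no other edge: admissible
DANGLING = ({"y1": "a", "y2": "b"}, {"l1": "e1", "l2": "e2"})    # b is still attached to e4 = B(b)
# A rule whose match folds two deleted nodes (and two deleted edges) onto one: identification fails
FOLD = Rule(Hypergraph({"y1": "a1", "y2": "a2", "y3": "a2"},
                       {"m1": ("A", ("y1", "y2")), "m2": ("A", ("y1", "y3"))}),
            Hypergraph({"y1": "a1"}, {}), frozenset({"y1"}))
FOLDED = ({"y1": "a", "y2": "b", "y3": "b"}, {"m1": "e2", "m2": "e2"})
```

Running apply_rule(RULE, G, *GOOD) deletes node c with its A-edge and glues C(a) and a fresh D(y3, y4) onto the remaining graph, while the DANGLING match is refused because the B-edge on b would be left without a node.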

Syntactical presentations of GT based on this semantics have been given, relying on languages with a monoidal operator, a name restriction operator and an appropriate notion of rule and matching [7].

3 Linear lambda-calculus 

We give a constructive presentation of an extension of intuitionistic linear logic based on sequent calculus, using a labelling of logic formulas that amounts to a form of linear λ-calculus [1][2][4][17]. We build on top of a system with ILL propositional type constructors ⊸, ⊗, 1, ! and universal quantifier ∀ (we omit as case of the latter). Each of these can be associated to a λ-calculus operator [1][17]. Linear implication (⊸) is used to type linear functions, and we use λ̂ for linear abstraction (with ˆ for linear application), to distinguish it from non-linear λ (typed by ∀). We assume α-renaming and β-congruence for λ and λ̂ (with linearity check for the latter). The operator associated to ⊗ is parallel composition, with nil as identity. The ! is interpreted as closure operator. We extend this system with a dependent type constructor ↓ to introduce a notion of naming, and with a resource-bound existential quantifier ∃ associated with linear hiding.

We rely on a presentation based on double-entry sequents [16][17]. A sequent has form Γ; Δ ⊢ N :: α, where Δ is the linear context, as list of typed linear variables (v, u, ...) among which we distinguish location variables (n, m, ...), and Γ is the non-linear context, as list of typed variables (x, y, ...). We implicitly assume permutation and associativity for each context, and use a dot (·) for the empty one. N :: α is a typing expression (typed term) where N is a label (term) and α is a logic formula (type). ⊢ represents logic consequence, whenever we forget about terms. We need to keep track of the free nominal variables in order to constrain context-merging rules, and to this purpose we annotate each sequent with the set Σ of such variables, writing [Σ]; Γ; Δ ⊢ N :: α, where Σ is a subset of the variables declared in Γ.

Derivable sequents are inductively defined from the axioms and proof rules in section 3.1, and with them the sets of well-formed terms and non-empty types. Notice that the definition of derivation includes that of the free nominal variable set Σ.

Syntactically, terms are M = v | x | n | nil | N1 ⊗ N2 | ε(D|N).N | λx.N | λ̂u.N | N1ˆN2 | !N | discard Γ in N | copy(x), where non-linear terms (those that do not contain free linear variables) are D = x | !N. Formulas (or types) are α = A | E(D1 : α1, ..., Dn : αn) | 1 | α1 ⊗ α2 | α1 ⊸ α2 | !α | ∀x : β.α | ∃x : β.α | α↓D. Linear equivalence is defined by α ≡ β =df (α ⊸ β) ⊗ (β ⊸ α). Patterns are terms given by P = v | x | n | nil | P1 ⊗ P2 | ε(x|n).P | !P | copy(x). They are used in let expressions, defined as let P = N1 in N2 =df N2[N1/P].

We say that γ is an atomic type whenever either γ = A_i or γ = E_i(D1 : α1, ..., Dk : αk) where α1, ..., αk are closed types. We take A0, A1, ... to be atomic closed types, meant to represent GT node types. A node of type A is represented as non-linear variable of type !A (see section 4). We take E0, E1, ... to stand for atomic type constructors, meant to be associated with GT edge types. A HILL type E(D1 : T1, ..., Dk : Tk) (by annotating terms with their types) is meant to represent a GT edge type E(A1, ..., Ak), if we forget node terms, whenever T1 = !A1, ..., Tk = !Ak.

Semantically, we assume that v ∈ LV, a set of linear variables, x ∈ UV, a set of non-linear variables, and n ∈ LOC ⊆ LV, a set of linear variables that evaluate to themselves and that we call locations. Given a derivable sequent Ω, the non-linear context Γ can be interpreted as a partial function UV → TY such that Γ(x) is either closed or undefined for each x, and the linear context Δ as a partial function LV → TY, such that for each n ∈ LOC, if defined, Δ(n) has form α↓D (location type) with α closed, and D non-linear term of type α. The free variables in Ω are those for which either Γ or Δ is defined. FV_Ω(N) denotes the free variables occurring in N, FV_Ω(α) those occurring in α (subscripts omitted in case of no ambiguity). We require Δ|LOC (restriction of Δ to LOC) to satisfy the following separation condition: for each n, m ∈ LOC, n ≠ m, if defined, FV(Δ|LOC(n)) ∩ FV(Δ|LOC(m)) = ∅. We say that a location is proper if FV(Δ|LOC(n)) ≠ ∅, improper otherwise.

The location typing assignment n :: β↓D says that D of type β is the naming term of n, that n is the location (β-location) of D, and that the variables that occur free in D (nominal variables) are located at n. We denote by Names_Ω the subset of well-typed terms that occur as naming terms in Ω. We use FN(D) (resp. FN(α)) to denote the nominal variables that occur free in D (resp. α), and we denote by Σ the set of the free nominal variables in Ω, i.e. the free variables that occur in Names_Ω. Variables become nominal when located. Semantically, a name can be thought of as a pair (D, n) (naming term and location). The separation condition implies that Δ|LOC is injective in a strong sense — different locations are associated with names that do not share free variables.

The separation condition required by the definition of Δ|LOC needs to be enforced explicitly, in all the context-merging rules. In order to express the constraint, we annotate sequents with the recursively computed set Σ (in brackets) of the free naming variables. We take [Σ, Σ', x] to represent the disjoint union Σ ⊎ Σ' ⊎ {x}, and [Σ − x] to represent Σ \ {x} if x ∈ Σ and Σ otherwise. The introduction of locations determines a change in the behaviour of the free non-linear variables that become nominal: by the separation condition, two free nominal variables with different locations cannot be identified. This corresponds to restricting the application of meta-level contraction — as implicit in the double-entry sequent formulation. Rule Contr in the proof system has a more technical character [17] and it is unaffected by the separation condition.

The rule ∃R introduces ↓ on the left, whereas ∃L eliminates it. Notice that ↓ is not treated as standard constructor in the rules — we do allow it to appear in positive position with proper locations. There are no axioms and no right introduction rules for ↓, and it is not possible to derive a proper location from Γ, as all variables declared in Γ are of closed types. With the given restriction in place, only improper locations can be un-linearised, i.e. ⊢ (!α↓D) ⊸ α↓D with D closed, and moreover ⊢ (!∀x.α↓x) ⊸ ∀x.α↓x, but not ⊢ (!α↓D) ⊸ α↓D for arbitrary D.



P. Torrini & R. Heckel



Intuitively, the ∃L rule binds a name (a naming variable and a location), extending the schema of the standard existential rule. The ∃R rule creates a name and hides it (both naming term and location), replacing exhaustively the term with a bound variable in the type. Notice that locations may occur in negative positions either free, bound (with ⊸) or hidden bound (with ∃), and may occur in positive positions only hidden (with ∃), whether bound or free. A term is a location term when it evaluates to a location. As there is no right introduction of ↓, we do not need to consider complex location terms explicitly. The operator associated to ∃ can be defined as

ε(D|n).M :: ∃x : β.α  =df  (D :: β) ⊗ (M :: α[D/x]) ⊗ (n :: β↓D)

for a non-linear term D :: β, with closed β and x not occurring in D, that additionally satisfies a freshness condition: FV(D) ∩ FV(α) = ∅.

The definition of ε is based on that of proof-and-witness pair associated with the interpretation of existential quantifier, in standard λ-calculus [23] as well as in its linear version [1][17] — however, here a location is added as evidence that the witness is located. The location n is a linear term — this changes the nature of the operator, giving it a resource-bound character.

The freshness condition ensures that the occurrences of the name are the same as the occurrences of the naming term in the main type, and makes the introduction rules of ∃ essentially invertible, unlike standard existential quantification. The freshness condition is trivially satisfied in the case of ∃L. In the case of ∃R, it follows from the fact that α ⊸ α can be derived from Γ1, x, whereas D can be derived from Γ2 — assuming that Γ1 and Γ2 are disjoint, and that x does not occur in D. Unlike standard linear logic rules, the definition of ∃R involves splitting the non-linear context.

The following statements can be proved by induction on the definition of derivation, using the separation condition and linearity of locations. Unlike in double-entry formulations of standard ILL, rule Weakening is explicitly needed here, in order to prove Cut elimination for the ∃ case.

Prop. 1 (1) Rules Cut and !Cut can be eliminated without loss for provability.
(2) Given a derivation [Σ]; Γ; Δ ⊢ N :: α

(2.a) it is possible to define a surjective function Loc from the free nominal variables in Σ to the set of the naming terms Names, such that Loc(x) = D iff x ∈ FN(D) and D ∈ Names.
(2.b) given a non-linear closed type α such that neither a closed term D :: α nor a term of type ∀x : α.α↓x are derivable from Γ, there is a one-to-one correspondence between the α-locations in negative positions and those (hidden) in positive positions.

Prop. 2 The following formulas are provable

⊢ (∃x : α.β) ≡ (∃y : α.β[y/x])   (y not in β)
⊢ (∃xy : α.γ) ≡ (∃yx : α.γ)
⊢ (∃x : α.β ⊗ γ) ≡ (β ⊗ ∃x : α.γ)   (x not in β)
⊢ (∃x : α.β ⊸ γ) ⊸ (β ⊸ ∃x : α.γ)   (x not in β)

Notice that in general, an operator ν can be characterised as name restriction when it satisfies the following properties [7].

α-renaming: νy.N = νz.N[z/y], avoiding variable capture
permutation: νxy.N = νyx.N
scope extrusion: νx.N1 ⊗ N2 = N1 ⊗ νx.N2, with x not in N1
η-congruence: νx.N = N, with x not in N

By the first three formulas in Prop. 2, ∃ satisfies properties of α-renaming, exchange and distribution over ⊗, and therefore ε satisfies the corresponding properties of restriction. On the other hand, ∃ does not generally satisfy η-congruence, i.e. it cannot be proved that α is equivalent to ∃x.α when x does not occur free in α (neither sense of linear implication holds).

It is not difficult to see that the following formulas, which are all valid for existential quantification, fail for ∃.

Prop. 3 (1) ⊬ (∃x : β.α(x,x)) ⊸ ∃xy : β.α(x,y)

(2) ⊬ ∀x : β.(∃z : β.α(z,z)) ⊸ ∃y : β.α(y,x)

(3) ⊬ (∃x : β.α1(x) ⊗ α2(x)) ⊸ (∃x : β.α1(x)) ⊗ ∃x : β.α2(x)

In fact, each of the above formulas can be given graphical interpretations that correspond to basic breaches of the DPO conditions [22].

3.1 Proof rules 



Ax (linear):   [∅]; Γ; u :: α ⊢ u :: α   (α atomic)

Ax (non-linear):   [∅]; Γ, x :: α; · ⊢ x :: α   (α closed)

∃R:
   [Σ1]; Γ1, x :: β; · ⊢ N :: α ⊸ α     [Σ2]; Γ2; · ⊢ D :: β     [Σ1, Σ2]; Γ1, Γ2; Δ ⊢ M :: α[D/x]
   ----------------------------------------------------------------------------------------
   [Σ1, Σ2, FV(D)]; Γ1, Γ2; Δ, n :: β↓D ⊢ ε(D|n).M :: ∃x : β.α

∃L:
   [Σ, z]; Γ, z :: β; Δ, n :: β↓z, v :: α ⊢ N :: γ
   ------------------------------------------------------
   [Σ]; Γ; Δ, u :: ∃z : β.α ⊢ let ε(z|n).v = u in N :: γ

∀R:
   [Σ]; Γ, x :: β; Δ ⊢ M :: α
   ----------------------------------
   [Σ − x]; Γ; Δ ⊢ λx.M :: ∀x : β.α

⊸R:
   [Σ]; Γ; Δ, u :: α ⊢ M :: β
   ----------------------------------
   [Σ]; Γ; Δ ⊢ λ̂u : α.M :: α ⊸ β

∀L:
   [Σ1]; Γ; · ⊢ D :: β     [Σ2]; Γ; Δ, v :: α[D/x] ⊢ N :: γ
   ----------------------------------------------------------
   [Σ1, Σ2]; Γ; Δ, u :: ∀x : β.α ⊢ let v = u D in N :: γ

⊸L:
   [Σ1]; Γ; Δ1 ⊢ M :: α     [Σ2]; Γ; Δ2, u :: β ⊢ N :: γ
   ----------------------------------------------------------
   [Σ1, Σ2]; Γ; Δ1, Δ2, v :: α ⊸ β ⊢ let u = vˆM in N :: γ

⊗R:
   [Σ1]; Γ; Δ1 ⊢ M :: α     [Σ2]; Γ; Δ2 ⊢ N :: β
   ------------------------------------------------
   [Σ1, Σ2]; Γ; Δ1, Δ2 ⊢ M ⊗ N :: α ⊗ β

⊗L:
   [Σ]; Γ; Δ, u :: α, v :: β ⊢ N :: γ
   ----------------------------------------------------
   [Σ]; Γ; Δ, w :: α ⊗ β ⊢ let u ⊗ v = w in N :: γ

1R:   [∅]; Γ; · ⊢ nil :: 1

1L:
   [Σ]; Γ; Δ ⊢ N :: α
   ----------------------------------------------
   [Σ]; Γ; Δ, u :: 1 ⊢ let nil = u in N :: α

!R:
   [Σ]; Γ; · ⊢ M :: α
   --------------------------
   [Σ]; Γ; · ⊢ !M :: !α

!L:
   [Σ]; Γ, x :: α; Δ ⊢ N :: β
   ----------------------------------------------
   [Σ]; Γ; Δ, u :: !α ⊢ let !x = u in N :: β

Weak:
   [Σ]; Γ; Δ ⊢ N :: α
   ----------------------------------------------
   [Σ]; Γ, Γ'; Δ ⊢ discard(Γ') in N :: α

Contr:
   [Σ]; Γ, x :: α; Δ, u :: α ⊢ N :: γ
   ----------------------------------------------------
   [Σ]; Γ, x :: α; Δ ⊢ let u = copy(x) in N :: γ

Cut:
   [Σ]; Γ; Δ ⊢ N :: α     [Σ']; Γ; Δ', u :: α ⊢ M :: β
   --------------------------------------------------------
   [Σ, Σ']; Γ; Δ, Δ' ⊢ let u = N in M :: β

!Cut:
   [Σ]; Γ; · ⊢ D :: α     [Σ']; Γ, x :: α; Δ ⊢ M :: β
   --------------------------------------------------------
   [Σ, Σ'[FV(D)/x]]; Γ; Δ[D/x] ⊢ let x = D in M :: β

4 Graphs in HILL

It is possible to embed GT systems in HILL, along lines given in [22] — though there the logic allowed only for variables as naming terms, making it harder to deal with hierarchical graphs. Here instead a node can be represented as non-linear term D :: T where T = !A and A is an atomic closed type, for which we can assume no closed terms are given. This makes it possible to deal with granular representations in which nodes can be subgraphs.

An edge can be represented as a dependently typed function variable u :: ∀x1 : T1, ..., xk : Tk.E(x1, ..., xk). An edge component can be derived as a sequent

[Σ1, ..., Σk]; Γ; u :: ∀x1 : T1, ..., xk : Tk.E(x1, ..., xk) ⊢ u D1 ... Dk :: E(D1, ..., Dk)

from the assumptions [Σ1]; Γ; · ⊢ D1 :: T1 ... [Σk]; Γ; · ⊢ Dk :: Tk. The same component with hidden node names can be represented as

[Σ']; Γ; n1 :: T1↓D1, ..., nk :: Tk↓Dk, u :: ∀x1 : T1, ..., xk : Tk.E(x1, ..., xk) ⊢ ε(D1|n1)...(Dk|nk).u x1 ... xk :: ∃x1 : T1, ..., xk : Tk.E(x1, ..., xk)

where Σ' = [Σ1, FV(D1), ..., Σk, FV(Dk)]. The empty graph can be represented as [∅]; Γ; · ⊢ nil :: 1. The parallel composition of two components [Σ1]; Γ; Δ1 ⊢ G1 :: γ1 and [Σ2]; Γ; Δ2 ⊢ G2 :: γ2 can be represented as

[Σ1, Σ2]; Γ; Δ1, Δ2 ⊢ G1 ⊗ G2 :: γ1 ⊗ γ2

As a further example, assuming [Σ]; Γ; · ⊢ D :: T, an isolated node can be represented as

[Σ, FV(D)]; Γ; n :: T↓D ⊢ ε(D|n).nil :: ∃x : T.1

It is not difficult to see how an encoding of hypergraphs into HILL can be defined inductively along these lines. Let G be a typed hypergraph, and let it be closed (i.e. without external nodes). We can define a graph signature (Δ_N, Δ_E), where Δ_N are the locations that represent the nodes of G, and Δ_E are the linear variables that represent the edges of G. We call graph formulas those in the 1, ⊗, ∃, ∀, ↓ fragment of the logic containing as primitive types only node and edge types, such that quantification ranges on node types only. We say that a graph formula γ is in normal form whenever γ = ∃(x̄ : T̄).α, where either α = 1 or α = E1(x̄1) ⊗ ... ⊗ Ek(x̄k), with x̄ :: T̄ a sequence of typed variables. The formula is closed if x̄i ⊆ x̄ for each 1 ≤ i ≤ k. G can be represented by a derivation

[FV(Δ_N)]; Γ; Δ_N, Δ_E ⊢ N_G :: γ

where γ is a closed normal graph formula that we call representative of G. This encoding can be extended to an abstract hypergraph I → G, by representing edges with linear variables and internal nodes with locations Δ_N as before, and by representing interface nodes as free variables that can be λ-abstracted. The representative γ has then form ∀x1 : T1, ..., xj : Tj.γ', where γ' is a normal graph formula, and x1 : T1, ..., xj : Tj are the open nodes. This translation generalises that given in [22].

4.1 Transformation rules 

Graph transformation can be represented by linear inference. In particular, a direct transformation G ⇒ H, where G, H are closed hypergraphs, can be encoded logically as γG ⊸ γH, where γG, γH are representatives of G and H, respectively. Let π(p) = ΛK.L ⇒ R be a DPO transformation rule with discrete interface, i.e. such that K is the set of the typed nodes that are shared between L and R, and such that none of them is isolated in both L and R. Then p can be represented logically as non-linear term

Zp :: !∀x1 : T1, ..., xk : Tk.γL ⊸ γR

where γL, γR are normal graph formulas, representatives of L and R respectively, and x1 : T1, ..., xk : Tk represent the nodes in K. The ! closure guarantees unrestricted applicability, universally quantified variables represent the rule interface, and linear implication represents transformation.

As shown in the double-pushout diagram (section 2), the application of rule π(p) determined by morphism m to a closed hypergraph G, resulting in a closed hypergraph H, can be represented up to isomorphism as a derivation of an H representative αH = ∃ȳ : T̄y.βH from a G representative αG = ∃ȳ : T̄y.βG, based on Zp and on the multiple substitution [z̄ : T̄z / x̄ : T̄x] of the free variables in γL, γR, corresponding to the interface morphism d (not required to be injective) in the diagram. A transformation determined by an application of the rule can be proved correct, up to isomorphism, by the fact that the following is a derivable rule

   [∅]; Γ; · ⊢ αG ≡ αG'     αG' = ∃ȳ : T̄y. αL[z̄ : T̄z / x̄ : T̄x] ⊗ αC
   [∅]; Γ; · ⊢ αH ≡ αH'     αH' = ∃ȳ : T̄y. αR[z̄ : T̄z / x̄ : T̄x] ⊗ αC
   --------------------------------------------------------------------
   [∅]; Γ; ∀x̄ : T̄x.αL ⊸ αR ⊢ αG ⊸ αH

where z̄ : T̄z ⊆ ȳ : T̄y, as G and H are closed.

Prop. 4 The application of a transformation rule to a closed graph representative implies linearly a closed graph representative that is determined up to graph isomorphism by the instantiation of the rule interface variables (morphism d). The match determined by d (up to isomorphism) satisfies the gluing condition on both sides — with respect to the rule instance premise and the initial graph, and with respect to the rule instance consequence and the resulting graph — and therefore satisfies the DPO conditions (Proof: since ∃ behaves injectively with respect to multiple instantiations, as from Prop. 1 (2.b), and satisfies the properties of restriction in Prop. 2).

As to reachability, a sequent Γ; P1, ..., Pk, G0 ⊢ G1, where Γ does not contain any rule, can express that graph G1 is reachable from the initial graph G0 by applying rules P1 = ∀x̄1.α1 ⊸ β1, ..., Pk = ∀x̄k.αk ⊸ βk once each, abstracting from the application order. A sequent Γ, P1, ..., Pk; G0 ⊢ G1 can express that G1 is reachable from G0 by the same rules, regardless of whether or how many times they are applied. The parallel application of rules ∀x̄1.α1 ⊸ β1, ∀x̄2.α2 ⊸ β2 can be represented as application of ∀x̄1x̄2.(α1 ⊸ β1) ⊗ (α2 ⊸ β2), as distinct from ∀x̄1x̄2.α1 ⊗ α2 ⊸ β1 ⊗ β2.

4.2 Example 

We give an example of logic derivation that represents the application of a transformation rule (graphically represented in Fig. 1), conveniently simplifying the notation, by making appropriate naming choices.

The derivation, read from the conclusion upwards (the Σ annotations are omitted):

Γ'; δ ⊢ γG ⊸ γH
   by ⊸R followed by ∃L* (binding x1, x2, x3 at locations n1, n2, n3), with Γ = Γ', x1, x2, x3, from

Γ; n1↓x1, n2↓x2, n3↓x3, C(x1), A(x1,x2), A(x1,x3), B(x2), δ ⊢ γH
   by ∀L (instantiating y1 with x1, as Γ ⊢ x1) from

Γ; n1↓x1, n2↓x2, n3↓x3, C(x1), A(x1,x2), A(x1,x3), B(x2), (∃y2 : α2.C(x1) ⊗ A(x1,y2)) ⊸ (∃y3, y4 : α3.C(x1) ⊗ D(y3,y4)) ⊢ γH
   by ⊸L, splitting the linear context into the two premises

   (a)  Γ; n3↓x3, C(x1), A(x1,x3) ⊢ ∃y2 : α2.C(x1) ⊗ A(x1,y2)
        by ∃R (witness x3, Γ ⊢ x3) and ⊗R from the axioms Γ; C(x1) ⊢ C(x1) and Γ; A(x1,x3) ⊢ A(x1,x3)

   (b)  Γ; n1↓x1, n2↓x2, A(x1,x2), B(x2), ∃y3, y4 : α3.C(x1) ⊗ D(y3,y4) ⊢ γH
        by ∃L* and ⊗L, with Γ* = Γ, x5, x6, from

Γ*; n1↓x1, n2↓x2, n5↓x5, n6↓x6, A(x1,x2), B(x2), C(x1), D(x5,x6) ⊢ γH
   by ∃R* (witnesses x1, x2, x5, x6, as Γ* ⊢ x1, Γ* ⊢ x2, Γ* ⊢ x5, Γ* ⊢ x6) from

Γ*; A(x1,x2), B(x2), C(x1), D(x5,x6) ⊢ C(x1) ⊗ A(x1,x2) ⊗ D(x5,x6) ⊗ B(x2)
   by ⊗R* from the axioms Γ*; A(x1,x2) ⊢ A(x1,x2), Γ*; B(x2) ⊢ B(x2), Γ*; C(x1) ⊢ C(x1), Γ*; D(x5,x6) ⊢ D(x5,x6)

where graphs G, H and rule π(p) are represented as follows

γG = ∃x1 : α1, x2 : α2, x3 : α2.C(x1) ⊗ A(x1,x2) ⊗ A(x1,x3) ⊗ B(x2)
δ = ∀y1 : α1.(∃y2 : α2.C(y1) ⊗ A(y1,y2)) ⊸ (∃y3, y4 : α3.C(y1) ⊗ D(y3,y4))
γH = ∃z1 : α1, z2 : α2, z3 z4 : α3.C(z1) ⊗ A(z1,z2) ⊗ D(z3,z4) ⊗ B(z2)

[Figure 1: Transformation example]

The derivation shows that the graph represented as $\gamma_H$ can be obtained by a single application to the 
graph represented as $\gamma_G$ of the rule represented as $\delta$. The transformation can be represented logically as 
the sequent $\Gamma'; \delta \vdash \gamma_G \multimap \gamma_H$, easily provable by backward application of the proof rules, as shown. The fact 
that the naming terms here are variables makes the book-keeping of free nominal variables straightforward 
(and annotation unnecessary). 



5 Conclusion and further work 

We have discussed how to represent DPO-GTS in a quantified extension of ILL, to reason about concurrency 
and reachability at the abstract level. We focussed on abstraction from name identity, an aspect 
that in hyperedge replacement formulations of GT is often associated with name restriction [?]. We 
used an approach that, with respect to nominal logic, appears comparatively closer to [21] than to [20], 
though our resource-bound quantifier is essentially based on existential quantification, and unlike 
freshness quantifiers does not seem to be so easily understood in terms of "for all". 

We have followed the general lines of the encoding presented in [22], but we have relied on a more 
expressive logic, allowing for the use of complex terms as names. With this extension, it becomes 
possible to go beyond flat hypergraphs as defined in section 2 and to consider structured ones [11, 3]. 
Moreover, it should be possible to deal with transformation rules that are not discrete, i.e. that include 
edge components in the interface, by shifting to a representation in which hyperedges, too, are treated 
as names. However, while such extensions do not appear particularly problematic from the point of view of 
soundness, they may make completeness results rather more difficult. 



P. Torrini & R. Heckel 






References 

[1] S. Abramsky (1993): Computational interpretation of linear logic. Theoretical Computer Science 111. 

[2] N. Benton, G. Bierman, V. de Paiva & M. Hyland (1993): Linear lambda-calculus and categorical models 
revisited. In: E. Börger, G. Jäger, H. Kleine Büning, S. Martini & M. Richter, editors: Proceedings of the 
Sixth Workshop on Computer Science Logic. Springer Verlag, pp. 61-84. 

[3] Giorgio Busatto, Hans-Jörg Kreowski & Sabine Kuske (2005): Abstract hierarchical graph transformation. 
Mathematical Structures in Computer Science 15(4), pp. 773-819. 

[4] I. Cervesato & F. Pfenning (2002): A linear logical framework. Information and Computation 179(1), pp. 
19-75. 

[5] Iliano Cervesato & Andre Scedrov (2006): Relating State-Based and Process-Based Concurrency through 
Linear Logic. Electron. Notes Theor. Comput. Sci. 165, pp. 145-176. 

[6] David Clarke (2007): Coordination: Reo, nets, and logic. In: FMCO 2007, LNCS 5382. pp. 226-256. 

[7] Andrea Corradini, Ugo Montanari & Francesca Rossi (1994): An abstract machine for concurrent modular 
systems: CHARM. Theoretical Computer Science 122, pp. 165-200. 

[8] B. Courcelle (1997): The expression of graph properties and graph transformation in monadic second-order 
logic. In: G. Rozenberg, editor: Handbook of Graph Grammars and Computing by Graph Transformation, 
1. World Scientific, pp. 313-400. 

[9] Lucas Dixon, Alan Smaill & Alan Bundy (2006): Planning as Deductive Synthesis in Intuitionistic Linear 
Logic. Technical Report, University of Edinburgh. 

[10] Mike Dodds & Detlef Plump (2008): From hyperedge replacement to separation logic and back. In: ICGT 
2008 — Doctoral Symposium. 

[11] Frank Drewes, Berthold Hoffmann & Detlef Plump (2002): Hierarchical graph transformation. J. Comput. 
Syst. Sci. 64(2), pp. 249-283. 

[12] H. Ehrig, K. Ehrig, U. Prange & G. Taentzer (2006): Fundamentals of algebraic graph transformation. 
Springer. 

[13] Murdoch J. Gabbay & J. Cheney (2004): A Sequent Calculus for Nominal Logic. In: 19th Annual IEEE 
Symposium on Logic in Computer Science (LICS 2004). pp. 139-148. 

[14] Dan Hirsch & Ugo Montanari (1999): Consistent transformations for software architecture styles of dis- 
tributed systems. Electr. Notes Theor. Comput. Sci. 28. 

[15] D. Miller (1992): The pi-calculus as a theory in linear logic: preliminary results. In: Workshop on Extensions 
of Logic Programming, number 660 in LNCS. Springer, pp. 242-264. 

[16] Frank Pfenning (1994): Structural Cut Elimination in Linear Logic. Technical Report, Carnegie Mellon 
University. 

[17] Frank Pfenning (2002): Linear Logic — 2002 Draft. Technical Report, Carnegie Mellon University. 

[18] Andrew Pitts & Ian Stark (1993): Observable Properties of Higher Order Functions that Dynamically Create 
Local Names, or: What's new? In: MFCS'93. Springer, pp. 122-141. 

[19] Andrew M. Pitts (2001): Nominal Logic: A First Order Theory of Names and Binding. In: TACS '01: Proc. 
4th Int. Symp. on Theoretical Aspects of Computer Software. Springer, pp. 219-242. 

[20] D. J. Pym (2002): The semantics and proof-theory of the logics of bunched implications. Applied Logic 
Series. Kluwer. 

[21] Ulrich Schoepp & Ian Stark (2004): A Dependent Type Theory with Names and Binding. In: Computer 
Science Logic '04. Springer, pp. 235-249. 

[22] Paolo Torrini & Reiko Heckel (2009): Towards an embedding of Graph Transformation in Intuitionistic 
Linear Logic. CoRR abs/0911.5525. 

[23] A. S. Troelstra & H. Schwichtenberg (2000): Basic Proof Theory. Cambridge University Press. 



